Introduction

Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.

Warning: Tor by itself is not all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: Want Tor to really work?).

Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).

Configuration

By default Tor reads configurations from the file /etc/tor/torrc. The configuration options are explained in tor(1) and the Tor website. The default configuration should work fine for most Tor users.

There are potential conflicts between configurations in torrc and those in tor.service.

In torrc, RunAsDaemon should, as by default, be set to 0, since Type=simple is set in the [Service] section in tor.service.

In torrc, User should not be set unless User= is set to root in the [Service] section in tor.service.

Relay Configuration

The maximum file descriptor number that can be opened by Tor can be set with LimitNOFILE in tor.service. Fast relays may want to increase this value.

If your computer is not running a webserver, and you have not set AccountingMax, consider changing your ORPort to 443 and/or your DirPort to 80. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[1]
But since these are privileged ports, to do so Tor must be run as root, by setting User=root in tor.service and User tor in torrc.

Note: Symlinks for nspawn are currently broken (as of 2016-02-04; see https://github.com/systemd/systemd/issues/2001), and will give you a "too many levels of symlinks" error. As a (possibly insecure) workaround, simply pacstrap your install to the container directory instead.

--network-macvlan=$INTERFACE --private-network automagically creates a macvlan named mv-$INTERFACE inside the container, which is not visible from the host. --private-network is implied by --network-macvlan= according to systemd-nspawn(1).
This is advisable for security as it will allow you to give a private IP to the container, and it won't know what your machine's IP is. This can help obscure DNS requests.

Usage

To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings).
To check if Tor is functioning properly visit the Tor, Harvard or Xenobite.eu websites.

Web browsing

The Tor Project currently only supports web browsing with tor through the Tor Browser, which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular Firefox, Chromium and other browsers, but this is not recommended by the Tor Project.

Chromium

The --proxy-server="socks5://myproxy:8080" flag tells Chrome to send all http:// and https:// URL requests through the SOCKS proxy server "myproxy:8080", using version 5 of the SOCKS protocol. The hostname for these URLs will be resolved by the proxy server, and not locally by Chrome.

Warning: Proxying of ftp:// URLs through a SOCKS proxy is not yet implemented[2].

The --proxy-server flag applies to URL loads only. There are other components of Chrome which may issue DNS resolves directly and hence bypass this proxy server. The most notable such component is the "DNS prefetcher". Hence if DNS prefetching is not disabled in Chrome then you will still see local DNS requests being issued by Chrome despite having specified a SOCKS v5 proxy server. Disabling DNS prefetching would solve this problem, however it is a fragile solution since once needs to be aware of all the areas in Chrome which issue raw DNS requests. To address this, the next flag, --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE myproxy", is a catch-all to prevent Chrome from sending any DNS requests over the network. It says that all DNS resolves are to be simply mapped to the (invalid) address ~NOTFOUND (think of it as 0.0.0.0). The "EXCLUDE" clause make an exception for "myproxy", because otherwise Chrome would be unable to resolve the address of the SOCKS proxy server itself, and all requests would necessarily fail with PROXY_CONNECTION_FAILED.

Extension

Once installed enter in its configuration page. Under the tab Proxy Profiles add a new profile Tor, if ticked untick the option Use the same proxy server for all protocols, then add localhost as SOCKS Host, 9050 to the respective port and select SOCKS v5.

Optionally you can enable the quick switch under the General tab to be able to switch beetween normal navigation and Tor network just by left-clicking on the Proxy SwitchySharp's icon.

Luakit

Warning: It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.

You can simply run:

$ torsocks luakit

HTTP proxy

Tor can be used with an HTTP proxy like Polipo or Privoxy, however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.

Firefox

The FoxyProxy add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port 8118 on localhost, which is where Polipo or Privoxy are running. These settings can be access under Add > Standard proxy type. Select a proxy label (e.g Tor) and enter the port and host into the HTTP Proxy and SSL Proxy fields. To check if Tor is functioning properly visit the Tor Check website and toggle Tor.

Polipo

The Tor Project has created a custom Polipo configuration file to prevent potential problems with Polipo as well to provide better anonymity.

Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use Chromium with Tor, you do not need the Polipo package (see: #Chromium).

Privoxy

You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies you can connect to Privoxy (i.e. 127.0.0.1:8118). To use SOCKS proxy directly, you can point your application at Tor (i.e. 127.0.0.1:9050). A problem with this method though is that applications doing DNS resolves by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.

Instant messaging

In order to use an IM client with tor, we do not need an http proxy like polipo/privoxy. We will be using tor's daemon directly which listens to port 9050 by default.

Pidgin

You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to Accounts > Manage Accounts, select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:

Proxy type SOCKS5
Host 127.0.0.1
Port 9150

Note that some time in 2013 the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.

Irssi

This article or section is out of date.

Reason:cap_sasl.pl is broken with perl 5.20; SSL does also not work with torsocks (Discuss in Talk:Tor#)

Freenode recommends connecting to .onion directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see Irssi#Authenticating with SASL. Start irssi:

$ torsocks irssi

Set your identification to nickserv, which will be read when connecting. Supported mechanisms are ECDSA-NIST256P-CHALLENGE (see ecdsatool) and PLAIN. DH-BLOWFISH is no longer supported.

/sasl set networkusernamepasswordmechanism

Disable CTCP and DCC and set a different hostname to prevent information disclosure: [3]

Pacman

Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network.

Advantages:

Attackers that can monitor your Internet connection and that specifically targets your machine cannot watch the updates anymore and, because of that, they cannot deduce the packages you have installed, how up to date they are, when or how frequently you update them. An attacker can still learn what software and the versions you use by other means, for instance watching the packets from your http server or probing the machine will show that you have an http server installed and its version.

If the mirror is not an onion, a malicious exit nodes you are going through can watch the updates, and may decide to attack you, however they probably cannot know who they are attacking.

Attackers trying to make your machine believe that there are no new updates to prevent it from getting security fixes will have a harder time doing it since they cannot target your machine specifically.

Disadvantages:

Longer updates times due to Longer latency and lower throughput. This can be a big security risk if/when the updates needs to be done as fast as possible, especially on machines directly connected to the Internet. That is the case when there is a huge security flaw, and that the flaws are fast to probe, easy to exploit, and that attackers have already started targeting as many systems as they can before the systems are updated.

Reliability with Tor:

You don't need a working DNS anymore.

You depend on the Tor network and the exit nodes not blocking the updates.

You depend on the Tor daemon to work properly. The Tor daemon may not work if there is no more disk space available to it. "Reserved blocks gid:" in ext4, quotas, or other means can fix that.

If you are in a country where Tor is blocked, or that there are almost or no Tor users at all, you should use bridges.

Note on gpg:

On stock arch, pacman only trust keys which are either signed by you (That can be done with pacman-key --lsign-key) or signed by 2 of 5 Arch master keys. If a malicious exit node replaces packages with ones signed by its key, pacman will not let the user install the package.

Warning: This might not be true for other distributions derived from ARCH, for non-official repositories and for AUR

Troubleshooting

If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps forward the port in your router.

Running a Tor relay

This means that your machine will act as an entry node or forwarding relay and, unlike a bridge, it will be listed in the public Tor directory. Your IP address will be publicly visible in the Tor directory but the relay will only forward to other relays or Tor exit nodes, not directly to the internet.

Running a Tor exit node

Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read Tips for Running an Exit Node With Minimal Harassment.

Configuration

Using the torrc, you can configure which services you wish to allow through your exit node.
Allow all traffic:

ExitPolicy reject XXX.XXX.XXX.XXX/XX:* should reflect your public IP and netmask, which can be obtained with the command # ip addr, so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.

AvoidDiskWrites 1 reduces disk writes and wear on SSD.
DisableAllSwap 1 "will attempt to lock all current and future memory pages, so that memory cannot be paged out".

arm

If ControlPort 9051 and CookieAuthentication 1 is specified in /etc/tor/torrc, arm can be started with sudo -u tor arm.
If you want to watch Tor connections in armDisableDebuggerAttachment 0 must also be specified.

iptables

Setup and learn to use iptables. Instead of being a Simple stateful firewall where connection tracking would have to track thousands of connections on a tor exit relay this firewall configuration is stateless.

This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this Debian-based introduction.

DNS queries can also be performed through a command line interface by using tor-resolve. For example:

$ tor-resolve archlinux.org
66.211.214.131

Using TorDNS for all DNS queries

It is possible to configure your system, if so desired, to use TorDNS for all queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in /etc/tor/torrc to show:

DNSPort 53

Alternatively, you can use a local caching DNS server, such as dnsmasq or pdnsd, which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up dnsmasq for this purpose.

Change the tor setting to listen for the DNS request in port 9053 and install dnsmasq.

Modify its configuration file so that it contains:

/etc/dnsmasq.conf

no-resolv
port=53
server=127.0.0.1#9053
listen-address=127.0.0.1

These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS at its sole upstream provider. It is now neccessary to edit /etc/resolv.conf so that your system will query only the dnsmasq server.

/etc/resolv.conf

nameserver 127.0.0.1

Start the dnsmasq daemon.

Finally if you use dhcpd you would need to change its settings to that it does not alter the resolv configuration file. Just add this line in the configuration file:

/etc/dhcpcd.conf

nohook resolv.conf

If you already have an nohook line, just add resolv.conf separated with a comma.

Torsocks

torsocks will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:

torsocks is a wrapper between the torsocks library and the application in order to make every Internet communication go through the Tor network.

Transparent Torification

In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with iptables in such a way that all outbound packets are redirected through Tor's TransPort, except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's SocksPort will still work. This also works for DNS via Tor's DNSPort, but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [4]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like Tails instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.

To enable transparent torification, use the following file for iptables-restore and ip6tables-restore (internally used by systemd's iptables.service and ip6tables.service).

Note:

This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torrify.

Now using --ipv6 and --ipv4 for protocol specific changes. iptables-restore and ip6tables-restore can now use the same file.

Where --ipv6 or --ipv4 is explicitly defined, ip*tables-restore will ignore the rule if it is not for the correct protocol.

ip6tables does not support --reject-with. Make sure your torrc contains the following lines:

Then make sure Tor is running, and start/enable the iptables and ip6tables systemd units.

You may want to add Requires=iptables.service and Requires=ip6tables.service to whatever systemd unit logs your user in (most likely a display manager), to prevent any user processes from being started before the firewall up. See systemd.

Troubleshooting

Problem with user value

If the tor daemon failed to start, then run the following command as root (or use sudo)

# tor

If you get the following error

May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.
May 23 00:27:24.624 [err] Reading config failed--see warnings above.

Then it means that the problem is with the User value, which likely means that one or more files or directories in your /var/lib/tor directory is not owned by tor. This can be determined by using the following find command:

find /var/lib/tor/ ! -user tor

Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:

chown tor:tor /var/lib/tor/filename

Or to change everything listed by the above find example, modify the command to this:

find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;

Tor should now start up correctly.

Still if you cannot start the tor service, run the service using root (this will switch back to the tor user). To do this, change the user name in the /etc/tor/torrc file:

User tor

Now modify the systemd's tor service file /usr/lib/systemd/system/tor.service as follows

[Service]
User=root
Group=root
Type=simple

The process will be run as tor user. For this purpose change user and group ID to tor and also make it writable: